Cybercriminals Are Not (Necessarily) Geniuses

On a hot day in June, the cloud security faithful gathered in London to discuss where security for the cloud is heading. Our annual Cloud Security Summit 2018 was an excellent opportunity for business leaders and security veterans to explore some of our industry's most pressing issues—and gain valuable insight from keynote speakers like Graham Cluley.

Graham opened the UK Cloud Security Summit with a presentation titled, ‘Top business security risks, and how you can fight back’. I’ve known Graham for years and consider him to be a friend. He is also one of the most respected voices in cybersecurity—with more than 25 years of experience working in and writing about cybersecurity. Graham worked with Dr. Solomon’s—an early pioneer in the antivirus world, which was acquired by McAfee in 1998—and then with Sophos before going solo. His role as an independent security researcher makes him uniquely suited to offer a non-partisan view of the security threats we all need to be aware of.

Graham did an excellent job of framing the issues businesses face when it comes to cybersecurity and the current threat landscape. Graham’s experience helped make the information both more engaging and more relevant with real-world examples and a healthy dose of common-sense perspective.

Cybercriminals – are they geniuses?

The example which seemed to resonate most with the audience revolved around debunking the myth that hackers are evil geniuses or possess superhuman intelligence. Despite the complete disconnect from reality, when people think of cybercriminals, they generally picture the romanticized image portrayed in movies of a socially-awkward loner in a hoodie who can sit down at any computer in the world and hack into the Pentagon in under five minutes. That’s ridiculous on a number of levels.

Graham used a story of the Syrian Electronic Army to illustrate the point. The Syrian Electronic Army is affiliated with the extremist terrorist group ISIS and focuses on raising funds for the caliphate by targeting Westerners. Graham detailed how these hackers were foolish enough to have one of their members in Germany sign a contract with a ransom victim—sending across his passport details and email address in the process. This stranger-than-fiction example serves to illuminate a theme which ran through Graham’s presentation—cybercriminals are not necessarily geniuses, and they are only as successful as they are because we allow them to be.

Reality is more mundane. Far more dangerous than evil genius super-hackers is the fact that many organizations do a poor job of simply identifying vulnerabilities and keeping servers and applications patched and updated. Graham calls unpatched or outdated software “the world’s most common security vulnerability.” Citing the example of the devastating Equifax data breach in 2017, and the patching policy which allowed the Apache Struts vulnerability to slip through the cracks, Graham suggested that it is unacceptable for a company as big and multifaceted as Equifax to have failed to patch—or at least adequately mitigate—this critical vulnerability.

Beware ransomware

Graham also touched on the evolution of ransomware. Cybercriminals continue to adapt and develop new, more insidious ways to extort users. He highlighted Popcorn Time, a recent ransomware strain that includes a twisted social experiment. Rather than paying the ransom, compromised users can choose to infect others as a form of “payment” in order to get their data back for free.

Cybercriminals are not necessarily geniuses, but some are smarter than others. Graham provided examples of ingenious exploits and cybercrimes as well—most notably, the Ukrainian hacker who hacked into three business newswires, which allowed him access to insider trading information in advance of it going public.

The ever-evolving threat landscape

These examples all served to illustrate the same point: these threats are out there, and the threat surface is constantly expanding. At the end of his talk, Graham apologized to the audience for the lack of good news in his presentation. I guess 25 years on the security frontlines can make a security researcher a bit jaded.

About the Author

Tony Bradley

Tony Bradley is Senior Manager of Content Marketing for Alert Logic. Tony worked in the trenches as a network administrator and security consultant before shifting to the marketing and writing side of things. He is an 11-time Microsoft MVP in security and cloud and has been a CISSP-ISSAP since 2002. Tony has authored or co-authored a dozen books on IT and IT security topics, and is a prolific contributor to online media sites such as Forbes and DevOps.com. He has established a reputation for effective content marketing, and building and engaging a community and social media audience.